Operation and Arrests
An international operation led by the Australian Federal Police (AFP) took down the Imminent Monitor web page and shut down the sale of the now-defunct Imminent Monitor Remote Access Trojan (IM-RAT). The takedown operation resulted in the arrest of 13 of the ‘most prolific’ users of the Remote Access Trojan (RAT) tool.
According to the announcement the Australian Federal Police’s Cybercrime Investigations team initiated the investigation in 2017 after receiving a referral from the FBI and Palo Alto Networks’ threat intelligence team Unit 42. Unit 42 reportedly discovered that IM-RAT which was sold for as low as $25 was used in more than 115,000 unique attacks against Palo Alto Networks clients. The Unit also acquired evidence that tied the developer of the RAT software to Australia.
In the course of the investigation law enforcement agencies established that IM-RAT was being distributed and used across 124 countries and that it may have been sold to more than 14,500 buyers.
In June 2019 cops executed search warrants in Australia and Belgium against the developer and one employee of IM-RAT. On November 25, 2019, law enforcement agencies started an international week of action. In the course of the week of action, 85 warrants were executed internationally. The searches resulted in the seizure of 434 electronic devices that included laptops, phones, and servers. The searches also led to the arrest of 13 suspects 9 of which were arrested in the UK. The week of action was culminated by the takedown of the imminentmethods.net website and the shutdown of the IM-RAT software.
IM-RAT was being sold by a developer who used the alias ‘Shockwave’ since April 2013. Shockwave claimed IM-RAT was “the fastest remote administration tool ever created using new socket technology that has never been used before.” Like other RAT developers, Shockwave made sure he distanced himself from the illicit use of IM-RAT by among other things claiming he made the tools for educational purposes only.
“Remember that our tools are made for educational purpose, so we do not take any responsibility for any damage caused by any of or tools or services. Misuse of our tools or services can be very illegal. Certain misuse could cause possible jail time or fines, which differ depending on your local laws,” a section of Shockwave’s disclaimer said.
The “Startup” package costs $25 and is advertised as “perfect for managing a small workplace or home environments.” Customers could purchase a license through the site with Bitcoin in addition to the usual payment methods.
Law enforcement agree that the RAT tools can be used both legally and illegally. “While not all uses of IM-RAT are illegal and owning a license is not a criminal offense, the malware can be used for illegal purposes, such as gaining remote users’ complete access to a potential victim’s computer. Essentially giving the purchaser access to movement, location, online and offline activity,” the announcement said.
AFP Spokesperson Acting Commander Cybercrime Operations Chris Goldsmid said, “the offenses enabled by IM-RAT are often a precursor to more insidious forms of data theft and victim manipulation, which can have far-reaching privacy and safety consequences for those affected. These are real crimes with real victims.”
The takedown announcement did not disclose the identity of the suspects in custody. The operation is ongoing.
About Imminent Monitor
In a post on the company’s now-defunct website, the creators described the spyware as a legitimate business tool.
Imminent Monitor is an advanced System Remote Administration Tool designed for Windows based operating systems, focused on providing a fast, secure and stable replacement for competing products at a significantly lower price.
- Imminent Monitor can be used to:
- Fully administer Windows servers remotely
- Provide remote support to clients, friends or colleagues
- Connect to your home computer while you are away
- Monitor employee’s work machines
- Connect to your work computer while you are away
Imminent Monitor has been programmed from the ground up by our highly experienced developer with 9+ years of programming experience, over the years Imminent Monitor has received 60+ major free software updates.
Some researchers described it was fairly basic.
One wrote, in an analysis on his personal blog:
The task manager disabler functionality that Imminent provides is also quite bad. It simply executes the task manager and makes it invisible. Not exactly to rootkit standards, but I guess does the trick to the average joe?
It had an extensive list of functions though. Some of them were listed on another page on the Imminent Monitor homepage.
- Clean interface
- Lists all drives
- Ability to search files & folders
- Shortcuts to popular directories
- Execute files & folders
- Delete files & folders
- Rename files & folders
- Create new folders
- Set wallpaper
- View list of images in directory in a gallery
- Upload files
- Download any file size, at fast speeds
- Ability to stream at 60fps thanks to our motion detection algorithm
- Multi-monitor support
- Fullscreen support
- Ability to control mouse movement, clicks & keyboard
- FPS limit & bandwidth control sliders
- View CPU & RAM usage in the past 24 hours
- View upload & download speeds in the past 24 hours
- Ability to delete & refresh logs
Gathering Computer Specifications
Displays the following:
- Client Identifier
- Unique Identifier
- Public IP Address
- Private IP Address
- MAC Address
- Operating System
- Computer Name
- Computer Username
- System Privileges
- Installed Screens
- Graphics Card
- Ram Usage
- Battery Usage
- Last Reboot
- Installed Anti-Virus
- Firewall Status
Europol offered an infographic on Remote Access Trojans as well as a “how to avoid getting infected guide.”